MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

add: [vulnerability_lookup] Parsing JVNDB descriptions

pull/709/head
Christian Studer 2024-12-16 16:42:53 +01:00
parent 4ff402e117
commit 157ac8ca99
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 50 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
misp_modules/modules/expansion/vulnerability_lookup.py
View File

@ -46,6 +46,14 @@ class VulnerabilityLookupMapping(VulnerabilityMapping):
'details': 'description',
'modified': 'modified'
}
__jvn_mapping = {
'sec:identifier': 'id',
'description': 'description',
'title': 'summary',
'link': 'references',
'dcterms:issued': 'published',
'dcterms:modified': 'modified'
}
__nvd_mapping = {
'id': 'id',
'published': 'published',
@ -67,6 +75,7 @@ class VulnerabilityLookupMapping(VulnerabilityMapping):
'cve': '_parse_cve_description',
'ghsa': '_parse_standard_description',
'gsd': '_parse_gsd_description',
'jvndb': '_parse_jvn_description',
'mal': '_parse_ossf_description',
'pysec': '_parse_standard_description',
'var': '_parse_variot_description'
@ -103,6 +112,10 @@ class VulnerabilityLookupMapping(VulnerabilityMapping):
def gsd_mapping(cls) -> dict:
return cls.__gsd_mapping
@classmethod
def jvn_mapping(cls) -> dict:
return cls.__jvn_mapping
@classmethod
def nvd_mapping(cls) -> dict:
return cls.__nvd_mapping
@ -144,7 +157,7 @@ class VulnerabilityLookupParser(VulnerabilityParser):
)
getattr(self, feature)(lookup_result)
def _parse_aliases(self, aliases: list) -> Iterator[str]:
def _parse_aliases(self, *aliases: tuple[str]) -> Iterator[str]:
for alias in aliases:
query = requests.get(f"{api_url}/vulnerability/{alias}")
if query.status_code != 200:
@ -266,6 +279,40 @@ class VulnerabilityLookupParser(VulnerabilityParser):
return vulnerability_object.uuid
def _parse_jvn_description(self, lookup_result: dict) -> str:
vulnerability = MISPObject('vulnerability')
for field, relation in self.mapping.jvn_mapping().items():
vulnerability.add_attribute(relation, lookup_result[field])
for cpe in lookup_result.get('sec:cpe', []):
cpe_value = cpe.get('#text')
if cpe_value is not None:
vulnerability.add_attribute('vulnerable-configuration', cpe_value)
misp_object = self.misp_event.add_object(vulnerability)
for reference in lookup_result.get('sec:references', []):
source = reference.get('@source')
if source is None and reference.get('@id', '').startswith('CWE-'):
title = reference.get('@title')
if title is not None:
weakness = MISPObject('weakness')
weakness.add_attribute('id', reference['@id'])
weakness.add_attribute('description', title)
misp_object.add_reference(
self.misp_event.add_object(weakness).uuid, 'weakened-by'
)
else:
misp_object.add_reference(
self.misp_event.add_attribute(
type='weakness', value=reference['@id']).uuid,
'weakened-by'
)
continue
if source == 'JVN':
misp_object.add_attribute('references', reference['#text'])
elif source == 'CVE':
for referenced_uuid in self._parse_aliases(reference['@id']):
misp_object.add_reference(referenced_uuid, 'related-to')
return misp_object.uuid
def _parse_nvd_related_description(self, nvd_description: dict) -> str:
misp_object = MISPObject('vulnerability')
for field, relation in self.mapping.nvd_mapping().items():
@ -306,7 +353,7 @@ class VulnerabilityLookupParser(VulnerabilityParser):
)
if lookup_result.get('aliases'):
for vuln_uuid in self._parse_aliases(lookup_result['aliases']):
for vuln_uuid in self._parse_aliases(*lookup_result['aliases']):
vulnerability_object.add_reference(vuln_uuid, 'related-to')
return vulnerability_object.uuid
@ -328,7 +375,7 @@ class VulnerabilityLookupParser(VulnerabilityParser):
vulnerability_object = self.misp_event.add_object(misp_object)
if lookup_result.get('aliases'):
for vuln_uuid in self._parse_aliases(lookup_result['aliases']):
for vuln_uuid in self._parse_aliases(*lookup_result['aliases']):
vulnerability_object.add_reference(vuln_uuid, 'related-to')
return vulnerability_object.uuid